Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC3
    • Component/s: saml
    • Labels:
      None
    • Environment:
      Package: Spring Security SAML v2 - 1.0.0-RC2-SNAPSHOT
      OS: CentOS release 5.4
      Web server: Tomcat 6

      Description

      I set the Spring Security SAML Extension as a 'SP' integrated with my web app. Single sign on works fine.

      When a user selects global log out from my web app, he is logged out both from SP and IDP and does not allow to access protected web pages again. This is right.

      But then a user selects log out from another web app (in the same trust circle). I checked from log that IDP sends samlp:LogoutRequest to SP, and SP sends back saml2p:LogoutResponse with Success to IDP. This user now is certainly logged out from IDP. But it seems this user session is not killed, this user still be able to access protected web pages!!! This is wrong.

        Attachments

          Activity

            People

            • Assignee:
              vsch Vladimir Schäfer
              Reporter:
              patch_78 patch
            • Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: